You trust Lang.ai to help you structure your organization's data. Our most important job is to keep your data safe along the way.
We provide our customers with security features like Role-Based Access Control (RBAC), Multi-Factor Authentication (MFA), and Single Sign-On (SSO).
Our SOC 2 Type II report attests to the controls we have in place governing the security of customer data as they map to Trust Service Principles established by the AICPA.
At Lang.ai, we have worked to enhance our products, processes, and procedures to ensure our practices are GDPR-compliant.
Lang.ai acts as a service provider to customers under the California Consumer Privacy Act (CCPA), and we support our customers’ compliance with the CCPA.
Lang.ai is built to meet all requirements of HIPAA, and we are able to execute HIPAA Business Associate Agreements (BAAs) when required to ensure the security of PHI data.
Access to customer data is limited to authorized employees who require it for their job. Every access request must be approved and is logged. MFA is enforced on all of our internal systems.
Production servers and databases are hosted in a dedicated VPC and are not publicly accessible. All servers are configured with two-factor authentication and all unnecessary ports are blocked by AWS Security Groups.
All customer data is encrypted at rest and in transit. We rely on AWS infrastructure to securely maintain our cryptographic keys. Data is encrypted in transit using TLS 1.2+ and at rest using the industry-standard AES-256 encryption algorithm.
Our infrastructure is defined and deployed using Terraform, with all changes reviewed prior to deployment. Our development and testing environments are separate from our production environment. Code development follows a standard process that requires reviews.
Lang.ai hosts all its software in Amazon Web Services (AWS) facilities in the USA and Europe. Amazon provides an extensive list of compliance and regulatory assurances, including SOC 1, SOC 2, SOC 3, and ISO 27001. See Amazon's compliance documents for more information.
We engage third parties to conduct penetration tests of the production environment at least annually. We have a process to automatically detect system vulnerabilities. We also collaborate with security researchers through our Vulnerability Disclosure Program.
Backups are performed daily and retained in accordance with a pre-defined schedule in the Backup Policy. Amazon S3 storage buckets are versioned. Our disaster recovery plan is tested every year.
We have implemented an incident response policy that covers creating, prioritizing, assigning, and tracking follow-ups to completion. Breaches will be reported within 72 hours. A status page is kept up to date to inform customers of any incidents.